grouper-dev - [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3
- From: "Hyzer, Chris" <>
- To: " Mailing List" <>, "" <>, "" <>
- Subject: [grouper-dev] Important! Grouper Security Advisory in UI v2.2 and v2.3
- Date: Fri, 20 Jul 2018 18:53:50 +0000
There is an XSRF security vulnerability in the Grouper UI. Grouper v2.2 and v2.3 are affected. The patches for this have no dependencies (i.e. you don't have to install other patches) and are low-risk, lightweight patches, so you should apply these ASAP.

https://bugs.internet2.edu/jira/browse/GRP-1838

2.2: grouper_v2_2_2_ui_patch_6
2.3: grouper_v2_3_0_ui_patch_45

There are patches for 2.2.2 and 2.3.0. Note, if you are using 2.2.0 or 2.2.1, you can still unzip that patch and manually apply it in the classes dir and it should work. If the Java version of the patch does not match what you are running, we can recompile the source for your version.

Thanks to Jerry Lee, Information Security Analyst, University of Auckland, for finding this and clearly describing it to the team.

Reproduce this by appending this to your URL:

/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E

e.g. If the vulnerability exists, you will see this:

If the patch is applied and the vulnerability is fixed, you will see this:

Let me know if you have any questions.

Thanks
Chris

PS. Here is what I just did for Penn (in test and prod):

1. Verify exists:

2. Install patch

[appadmin@fastprod-mgmt-01 patching]$ more run.sh
#!/bin/bash
export JAVA_HOME=/opt/appserv/common/java
export PATH=$JAVA_HOME/bin:$PATH
cd /opt/appserv/tomcat/apps/grouper/patching
java -cp .:grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller
echo
echo "run this to complete the patching"
echo 'clusterRun grouper "rm -rf /opt/appserv/tomcat/apps/grouper/work/*"'
echo "clusterCopy.sh grouper /opt/appserv/tomcat/apps/grouper/webapps/grouper"
echo "clusterTomcat grouper restart"

[appadmin@fastprod-mgmt-01 patching]$ ./run.sh
Do you want to 'install' a new installation of grouper, 'upgrade' an existing installation, 'patch' an existing installation, 'admin' utilities, or 'createPatch' for Grouper developers (enter: 'install', 'upgrade', 'patch', 'admin', 'createPatch' or blank for the default) [patch]:
Enter in a Grouper temp directory to download tarballs (note: better if no spaces or special chars) [/opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs]:
What do you want to patch? api, ui, ws, pspng, or psp? [UI]:
Where is the grouper UI installed? [/opt/appserv/tomcat/apps/grouper/webapps/grouper]:
What do you want to do with patches (install, revert, status, fixIndexFile)? [install]:
Do you want to fix the patch index file (download all patches and see if they are installed?) (not recommended) (t|f)? [f]:
Would you like to install all patches (t|f)? [t]: f
Would you like to install patches up to a certain patch level? (t|f)? [f]:
Would you like to install certain specified patches? (t|f)? [f]: t
What patches would you like to install [comma-separated] (e.g. grouper_v2_3_0_api_patch_0, grouper_v2_3_0_api_patch_1, grouper_v2_3_0_ui_patch_0)? : grouper_v2_3_0_ui_patch_45
################ Checking patch grouper_v2_3_0_ui_patch_45
Downloading from URL: http://software.internet2.edu/grouper/release/2.3.0/patches/grouper_v2_3_0_ui_patch_45.tar.gz to file: /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
Unzipping: /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar.gz
Expanding: /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45.tar to /opt/appserv/tomcat/letters/tomcat_2v/patching/tarballs/patches/grouper_v2_3_0_ui_patch_45
Patch grouper_v2_3_0_ui_patch_45 is low risk, is a security patch
GRP-1838: xsrf problem with /UiV2Public.index
- added to end of property file: grouper_v2_3_0_ui_patch_45.date = 2018/07/20 14:44:49
This patch requires all processes that user Grouper to be stopped. Please stop these processes if they are running and press <enter> to continue...
Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
Applying file: /opt/appserv/tomcat/apps/grouper/webapps/grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
Patch successfully applied: grouper_v2_3_0_ui_patch_45
- added to end of property file: grouper_v2_3_0_ui_patch_45.state = applied

[appadmin@fastprod-mgmt-01 patching]$ clusterCopy.sh grouper /opt/appserv/tomcat/apps/grouper/webapps/grouper
COPY TO SERVER fastprod-medium-a-01: /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper /opt/appserv/local/tomcat/letters/tomcat_2v/webapps
sending incremental file list
grouper/WEB-INF/grouperPatchStatus.properties
grouper/WEB-INF/classes/
grouper/WEB-INF/classes/grouper-loader.properties~
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$1.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$2.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$3.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$4.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$5.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer$6.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.class
grouper/WEB-INF/classes/edu/internet2/middleware/grouper/grouperUi/beans/ui/TextContainer.java
sent 78534 bytes received 734 bytes 31707.20 bytes/sec
total size is 120040994 speedup is 1514.37
Complete copy.sh on servers: fastprod-medium-a-01 fastprod-medium-a-02 fastprod-medium-a-03 fastprod-medium-a-04 fastprod-medium-a-05: /opt/appserv/local/tomcat/letters/tomcat_2v/webapps/grouper /opt/appserv/local/tomcat/letters/tomcat_2v/webapps

[appadmin@fastprod-mgmt-01 patching]$ clusterTomcat grouper restart
SERVER fastprod-medium-a-01: /sbin/service tomcat_grouper restart
SERVER fastprod-medium-a-02: /sbin/service tomcat_grouper restart
SERVER fastprod-medium-a-03: /sbin/service tomcat_grouper restart
SERVER fastprod-medium-a-04: /sbin/service tomcat_grouper restart
SERVER fastprod-medium-a-05: /sbin/service tomcat_grouper restart
SUCCESS: grouper
[appadmin@fastprod-mgmt-01 patching]$

3. Verify fixed
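As an added example (not from the advisory or the Grouper project), a Python check that reads the patch-state line the installer appends to grouperPatchStatus.properties and flags access-log hits on the UiV2Public.error page whose code parameter carries markup after decoding. The log lines, client IPs and the properties snippet are constructed; only the patch name, key names and request path come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed properties text modelled on the two lines the installer
# reports appending above (key = value, one per line).
PATCH_STATUS = """\
grouper_v2_3_0_ui_patch_45.date = 2018/07/20 14:44:49
grouper_v2_3_0_ui_patch_45.state = applied
"""

# Constructed access-log lines (Apache combined format, assumed): the first
# request is the advisory's reproduction URL, the second an ordinary error-page hit.
ACCESS_LOG = """\
10.0.0.5 - - [20/Jul/2018:14:50:01 +0000] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120
10.0.0.6 - - [20/Jul/2018:14:51:13 +0000] "GET /grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=sessionTimeout HTTP/1.1" 200 4870
10.0.0.7 - - [20/Jul/2018:14:52:40 +0000] "GET /grouper/grouperUi/app/UiV2Main.index HTTP/1.1" 200 9001
"""

def patch_state(properties_text, patch_name):
    """Return the recorded state for patch_name ('applied', 'reverted', ...) or None."""
    key = patch_name + ".state"
    for line in properties_text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k == key:
            return v
    return None

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_error_page_probes(log_text):
    """Return (client_ip, decoded_code) for UiV2Public.error hits whose code carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/UiV2Public.index"):
            continue
        params = parse_qs(url.query)  # parse_qs percent-decodes the values
        if params.get("function") != ["UiV2Public.error"]:
            continue
        for code in params.get("code", []):
            if "<" in code or ">" in code:
                hits.append((line.split()[0], code))
    return hits
```

Run patch_state against the copied WEB-INF/grouperPatchStatus.properties on every cluster node after clusterCopy.sh, since a node that missed the rsync still serves the unpatched TextContainer.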